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CLAIMS 



1 LA method for communication path analysis, the method comprising: 

2 retrieving a first communication path rule and a second communication path rule for 

3 an access control device, each rule comprising at least one path attribute type specifying at 

4 least one attribute and at least one path operation type specifying at least one operation; 

5 inserting the first rule into a database; 

6 determining, for at least one path attribute type, whether an attribute of the second 

7 rule corresponds to an attribute of the first rule; and 

8 when the attribute of the second rule does not correspond to an attribute of the first 

9 rule, inserting the attribute of the second rule into the database, along with the at least one 
1 0 operation of the second rule. 

1 2. The method of claim 1 , wherein retrieving a communication path rule 

2 comprises parsing the rule from a firewall configuration file. 

1 3. The method of claim 1, wherein the at least one path attribute type comprises 

2 one or more of destination address, source address, service type, and communication time. 

1 4. The method of claim 1 , wherein inserting the first rule into a database 

2 comprises placing the at least one attribute and the at least one operation into a relational 

3 database having separate tables for the path attribute type and the path operation type. 

1 5 . The method of claim 1 , further comprising: 

2 determining whether a database query has been received; and 

3 if a query has been received, searching the database to determine whether any 

4 communication path rules satisfy the query. 

1 6. The method of claim 5, wherein the query criteria comprise one or more of 

2 destination address, source address, service type, and communication time. 
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2 determining whether an attribute of the second rule corresponds to an attribute of the 

3 first rule for at least one path attribute type comprises performing a set difference operation 

4 between attributes of the second rule and attributes of the first rule for the at least one path 

5 attribute type; and 

6 inserting the attribute of the second rule that does not correspond to an attribute of the 

7 first rule into the database comprises inserting the results of the set difference operation into 

8 the database. 

1 8. The method of claim 1 , wherein inserting the attribute of second rule that does 

2 not correspond to an attribute of the first rule into the database comprises attempting to group 

3 at least one type of non-corresponding attributes of the second rule into ranges. 

1 9. The method of claim 1 , further comprising: 

2 retrieving a first conimunication path rule for a second access control device; and 

3 inserting the first communication path rule for the second access control device into 

4 the database. 

1 10. The method of claim 9, further comprising: 

2 determining whether a database query has been received; and 

3 if a query has been received, searching the database to determine whether any 

4 communication path rules satisfy the query. 

1 11. The method of claim 1 , wherein determining whether an attribute of the 

2 second rule corresponds to an attribute of the first rule for at least one path attribute type is 

3 performed only for a set of operations. 
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1 12. A system for communication path analysis, comprising: 

2 a communication rule analyzer comprising: 

3 a database operable to store and search communication path rules, each rule 

4 comprising at least one path attribute type specifying at least one attribute and at least one 

5 path operation type specifying at least one operation; and 

6 an extraction tool operable to: 

7 retrieve a first communication path rule and a second communication 

8 path rule for an access control device, 

9 insert the first rule into the database, 

10 determine, for at least one path attribute type, whether an attribute of 

1 1 the second rule corresponds to an attribute of the first rule, and 

12 when the attribute of the second rule does not correspond to an 

13 attribute of the first rule, insert the attribute of the second rule into the database, along with 

14 the at least one operation of the second rule. 

1 13. The system of claim 1 2, wherein the database comprises a relational database 

2 having separate tables for the path attribute type and the path operation type. 

1 14. The system of claim 12, wherein the database is further operable to: 

2 determine whether a database query has been received; and 

3 if a query has been received, search the database to determine whether any 

4 communication path rules satisfy the query. 

1 15. The system of claim 1 2, wherein the extraction tool is operable to : 

2 perform a set difference operation between attributes of the second rule and attributes 

3 of the first rule for the at least one path attribute type to determine whether an attribute of the 

4 second rule corresponds to an attribute of the first rule for at least one path attribute type; and 

5 insert the results of the set difference operation into the database to insert the attribute 

6 of the second rule that does not correspond to an attribute of the first rule into the database. 
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2 group at least one type of non-corresponding attributes of the second rule into ranges to insert 

3 the attribute of the second rule that does not correspond to an attribute of the first rule into 

4 the database. 

1 17. The system of claim 12, wherein the extraction tool is further operable to: 

2 retrieve a first communication path rule for a second access control device; and 

3 insert the first communication path rule for the second access control device into the 

4 database. 

1 18. The system of claim 1 7, wherein the database is further operable to: 

2 determine whether a database query has been received; and 

3 if a query has been received, search the database to determine whether any 

4 communication path rules satisfy the query. 

1 19. The system of claim 12, wherein the extraction tool is operable to determine 

2 whether an attribute of the second rule corresponds to an attribute of the first rule for at least 

3 one path attribute type only for a set of operations. 
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1 20. An article comprising a machine-readable medium storing instructions 

2 operable to cause one or more machines to perform operations comprising: 

3 retrieving a first communication path rule and a second communication path rule for 

4 an access control device, each rule comprising at least one path attribute type specifying at 

5 least one attribute and at least one path operation type specifying at least one operation; 

6 inserting the first rule into a database; 

7 determining, for at least one path attribute type, whether an attribute of the second 

8 rule corresponds to an attribute of the first rule; and 

9 when the attribute of the second rule does not correspond to an attribute of the first 

10 rule, insert the attribute of the second rule into the database, along with the at least one 

1 1 operation of the second rule. 

1 21. The article of claim 20, wherein inserting the first rule into a database 

2 comprises placing the at least one attribute and the at least one operation into a relational 

3 database having separate tables for the path attribute type and the path operation type. 

1 22. The article of claim 20, wherein the instructions are further operable to cause 

2 one or more machines to perform operations comprising: 

3 determining whether a database query has been received; and 

4 if a query has been received, searching the database to determine whether any 

5 communication path rules satisfy the query. 

1 23 . The article of claim 22, wherein the query criteria comprise destination 

2 address, source address, service type, and communication time. 

1 24. The article of claim 20, wherein: 

2 determining whether an attribute of the second rule corresponds to an attribute of the 

3 first rule for at least one path attribute type comprises performing a set difference operation 

4 between attributes of the second rule and attributes of the first rule for the at least one path 

5 attribute type; and 
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7 first rule into the database comprises inserting the results of the difference operation into the 

8 database. 

1 25. The article of claim 20, wherein inserting the attribute of the second rule that 

2 does not correspond to an attribute of the first rule into the database comprises attempting to 

3 group at least one type of non-corresponding attributes of the second rule into ranges. 

1 26. The article of claim 20, wherein the instructions are further operable to cause 

2 one or more machines to perform operations comprising: 

3 retrieving a first communication path rule for a second access control device; and 

4 inserting the first communication path rule for the second access control device into 

5 the database. 

1 27. The article of claim 26, wherein the instructions are further operable to cause 

2 one or more machines to perform operations comprising: 

3 determining whether a database query has been received; and 

4 if a query has been received, searching the database to determine whether any 

5 communication path rules satisfy the query. 

1 28. The article of claim 20, wherein determining whether an attribute of the 

2 second rule corresponds to an attribute of the first rule for at least one path attribute type is 

3 performed only for a set of operations. 
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1 29. A method for communication path analysis, the method comprising: 

2 receiving a database query for a database comprising communication path rules for an 

3 access control device, each rule comprising at least one path attribute type specifying at least 

4 one attribute and at least one path operation type specifying at least one operation; 

5 searching the database for rules that satisfy the query; and 

6 generating a user interface to present the results of the search. 

1 30. The method of claim 29, wherein the database comprises a relational database 

2 having separate tables for the path attribute type and the path operation type. 

1 31. The method of claim 29, wherein the format of the query is structured query 

2 language. 

1 32. The method of claim 29, further comprising populating the database. 

1 33. The method of claim 29, wherein the database comprises a communication 

2 path rule for a second access control device. 
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34 An article comprising a machine-readable medium storing instructions 
operable to cause one or more machines to perform operations comprising: 

receiving a database query for a database comprising communication path rules for an 
access control device, each rule comprising at least one path attribute type specifying at least 
one attribute and at least one path operation type specifying at least one operation; 

searching the database for rules that satisfy the query; and 

generating a user interface to present the results of the search. 

35. The article of claim 34, wherein the database comprises a relational database 
having separate tables for the path attribute type and the path operation type. 

36. The article of claim 34, wherein the instructions are further operable to cause 
one or more machines to perform operations comprising populating the database. 

37. The article of claim 34, wherein the database comprises a communication path 
rule for a second access control device. 
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2 a communication rule analyzer comprising: 

3 a relational database operable to store, receive queries for, and search 

4 communication path rules, each rule comprising at least two path attribute types specifying at 

5 least one attribute and at least one path operation type specifying at least one operation, the 

6 database comprising separate tables for the path attribute types and the path operation type; 

7 and 

8 an extraction tool operable to: 

9 retrieve a first communication path rule and a second communication 

I o path rule for an access control device, 

I I insert the first rule into the database, 

12 perform a set difference operation between path attribute types of the 

1 3 second rule and the first rule, 

14 insert the result of the difference operation into the database, along 

15 with the at least one operation of the second rule, 

16 retrieve a first communication path rule for a second access control 

17 device, and 

18 insert the rule into the database. 
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